Hello,
I'm trying to use the timewrap command dynamically. Indeed, in the documentation, it is written that you can filter the date:
.... | timechart count span=1h | timewrap w | where strftime(_time, "%A") == "Wednesday"
This works on my data set, but when I want "Wednesday" to be "the day it was 1 hour before from now", it doesn't work. Here is what I do:
| timechart count span=1h | eval time_lasthour=relative_time(now(), "-1h@h" ) | eval day_lasthour=strftime(time_lasthour,"%A") | timewrap w | where strftime(_time, "%A") == day_lasthour
Although the variable "day_lasthour" contains the right day, it isn't applied in the WHERE clause... Any idea how to make the variable "day_lasthour" work in the WHERE clause?
Thank you
Try moving timewrap w to the end
I created a set of evals contained in a macro for week over week comparison. Here is an example search you can reverse engineer. The magic happens in evals -- week[1-4] and bucket_range. date_wnum is to correctly order the days. Then you simply add bucket_range to your by clause.
earliest=-28d@d latest=-0d@d index=main sourcetype=access_combined status=404
| fields date_wday user
| eval date_wday=if(isnull(date_wday),lower(strftime(_time,"%A")),date_wday)
| eval week1=relative_time(now(),"-7d@d")
| eval week2=relative_time(now(),"-14d@d")
| eval week3=relative_time(now(),"-21d@d")
| eval week4=relative_time(now(),"-28d@d")
| eval bucket_range=case( week1 <= _time, strftime(week1,"%m-%d")+" - "+strftime(now()-86400,"%m-%d"), week2 <= _time, strftime(week2,"%m-%d")+" - "+strftime(week1-86400,"%m-%d"), week3 <= _time, strftime(week3,"%m-%d")+" - "+strftime(week2-86400,"%m-%d"), week4 <= _time, strftime(week4,"%m-%d")+" - "+strftime(week3-86400,"%m-%d"))
| eval date_wnum=case(date_wday=lower(strftime(now(),"%A")),0,date_wday=lower(strftime(now()+86400,"%A")),1,date_wday=lower(strftime(now()+(86400*2),"%A")),2,date_wday=lower(strftime(now()+(86400*3),"%A")),3,date_wday=lower(strftime(now()+(86400*4),"%A")),4,date_wday=lower(strftime(now()+(86400*5),"%A")),5,date_wday=lower(strftime(now()+(86400*6),"%A")),6)
| eval date_wday=date_wnum+date_wday
| chart count(user) AS count over date_wday by bucket_range | eval date_wday=replace(date_wday,"\d","") | rename date_wday AS weekday
I think you'll have to evaluate all your fields first, extract what date you want, then create a search with the Splunk fields "earliest" and "latest", then apply your timechart to that search.
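One way to apply the approach described in that answer, as an added example that is not from the original thread: compute the time window first in a subsearch, hand it to the outer search as earliest/latest, and only then run timechart. The window here is the whole calendar day containing "now minus one hour" (the day the question asks about), so no where clause on weekday is needed after timechart. The index and sourcetype are assumed to match the ones used elsewhere in this thread; makeresults, relative_time and return are standard Splunk commands and functions, and return emits earliest="..." latest="..." with epoch values, which the outer search accepts as time modifiers.

```spl
index=main sourcetype=access_combined
    [ makeresults
      | eval earliest=relative_time(now(), "-1h@d")
      | eval latest=earliest+86400
      | return earliest latest ]
| timechart count span=1h
| eval weekday=strftime(_time, "%A")
```

The subsearch runs first, so the outer search is already restricted to the right day before timechart buckets it; the trailing eval only labels each hourly row with its weekday for checking. Widening earliest (for example by subtracting a multiple of 604800 seconds) and appending timewrap w would give the week-over-week columns from the question, but then the rows still cover every weekday and the post-timewrap filtering problem reappears, so the day-window restriction is what this example demonstrates.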
Try putting the timewrap after the where command. Just a hunch.
No luck...